[WIP] Set up proxy

__tests__/helpers.ts

@@ -1,5 +1,5 @@
 import Docker from 'dockerode'
-import {UPDATER_IMAGE_NAME} from '../src/main'
+import {UPDATER_IMAGE_NAME, PROXY_IMAGE_NAME} from '../src/main'
 import waitPort from 'wait-port'
 import path from 'path'
 import {spawn} from 'child_process'
@@ -9,7 +9,10 @@ export const removeDanglingUpdaterContainers = async (): Promise<void> => {
   const containers = (await docker.listContainers()) || []
 
   for (const container of containers) {
-    if (container.Image.includes(UPDATER_IMAGE_NAME)) {
+    if (
+      container.Image.includes(UPDATER_IMAGE_NAME) ||
+      container.Image.includes(PROXY_IMAGE_NAME)
+    ) {
       try {
         await docker.getContainer(container.Id).remove({v: true, force: true})
       } catch (e) {

__tests__/server/server.js

@@ -45,12 +45,12 @@ server.get('/update_jobs/:id/credentials', (_, res) => {
   res.jsonp({
     data: {
       attributes: {
-        credentials: {
+        credentials: [{
           type: 'git_source',
           host: 'github.com',
           username: 'x-access-token',
           password: process.env.GITHUB_TOKEN
-        }
+        }]
       }
     }
   })

__tests__/updater-integration.test.ts

@@ -2,7 +2,7 @@ import axios from 'axios'
 
 import {APIClient, JobParameters} from '../src/api-client'
 import {ImageService} from '../src/image-service'
-import {UPDATER_IMAGE_NAME} from '../src/main'
+import {UPDATER_IMAGE_NAME, PROXY_IMAGE_NAME} from '../src/main'
 import {Updater} from '../src/updater'
 
 import {removeDanglingUpdaterContainers, runFakeDependabotApi} from './helpers'
@@ -40,7 +40,7 @@ describe('Updater', () => {
 
   const client = axios.create({baseURL: externalDependabotApiUrl})
   const apiClient = new APIClient(client, params)
-  const updater = new Updater(UPDATER_IMAGE_NAME, apiClient)
+  const updater = new Updater(UPDATER_IMAGE_NAME, PROXY_IMAGE_NAME, apiClient)
 
   beforeAll(async () => {
     // Skip the test when we haven't preloaded the updater image
@@ -49,6 +49,7 @@ describe('Updater', () => {
     }
 
     await ImageService.pull(UPDATER_IMAGE_NAME)
+    await ImageService.pull(PROXY_IMAGE_NAME)
 
     if (externalDependabotApiUrl === fakeDependabotApiUrl) {
       server = await runFakeDependabotApi(FAKE_SERVER_PORT)

__tests__/updater.test.ts

@@ -1,4 +1,4 @@
-import {UPDATER_IMAGE_NAME} from '../src/main'
+import {UPDATER_IMAGE_NAME, PROXY_IMAGE_NAME} from '../src/main'
 import {Updater} from '../src/updater'
 
 describe('Updater', () => {
@@ -12,7 +12,11 @@ describe('Updater', () => {
       dependabotAPIURL: 'http://host.docker.internal:3001'
     }
   }
-  const updater = new Updater(UPDATER_IMAGE_NAME, mockAPIClient)
+  const updater = new Updater(
+    UPDATER_IMAGE_NAME,
+    PROXY_IMAGE_NAME,
+    mockAPIClient
+  )
 
   it('should fetch job details', async () => {
     mockAPIClient.getJobDetails.mockImplementation(() => {

package.json

@@ -36,6 +36,7 @@
     "@types/dockerode": "^3.2.6",
     "@types/jest": "^26.0.24",
     "@types/node": "^16.4.6",
+    "@types/node-forge": "^0.10.0",
     "@types/tar-stream": "^2.2.1",
     "@typescript-eslint/parser": "^4.28.5",
     "@vercel/ncc": "^0.29.0",
@@ -49,6 +50,7 @@
     "js-yaml": "^4.1.0",
     "json-server": "^0.16.3",
     "lint-staged": "^11.1.1",
+    "node-forge": "^0.10.0",
     "prettier": "2.3.2",
     "ts-jest": "^27.0.4",
     "ts-node": "^10.1.0",

src/container-service.ts

@@ -1,21 +1,33 @@
 import * as core from '@actions/core'
 import {Container} from 'dockerode'
 import {pack} from 'tar-stream'
-import {FileFetcherInput, FileUpdaterInput} from './file-types'
+import {FileFetcherInput, FileUpdaterInput, ProxyConfig} from './file-types'
 
 export const ContainerService = {
   async storeInput(
     name: string,
     path: string,
     container: Container,
-    input: FileFetcherInput | FileUpdaterInput
+    input: FileFetcherInput | FileUpdaterInput | ProxyConfig
   ): Promise<void> {
     const tar = pack()
     tar.entry({name}, JSON.stringify(input))
     tar.finalize()
     await container.putArchive(tar, {path})
   },
 
+  async storeCert(
+    name: string,
+    path: string,
+    container: Container,
+    cert: string
+  ): Promise<void> {
+    const tar = pack()
+    tar.entry({name}, cert)
+    tar.finalize()
+    await container.putArchive(tar, {path})
+  },
+
   async run(container: Container): Promise<void> {
     try {
       const stream = await container.attach({

src/file-types.ts

@@ -25,3 +25,19 @@ export type DependencyFile = {
 export type FileUpdaterInput = FetchedFiles & {
   job: JobDetails
 }
+
+export type CertificateAuthority = {
+  cert: string
+  key: string
+}
+
+export type BasicAuthCredentials = {
+  username: string
+  password: string
+}
+
+export type ProxyConfig = {
+  all_credentials: Credential[]
+  ca: CertificateAuthority
+  proxy_auth: BasicAuthCredentials
+}

src/main.ts

@@ -8,6 +8,8 @@ import axios from 'axios'
 
 export const UPDATER_IMAGE_NAME =
   'docker.pkg.github.com/dependabot/dependabot-updater:latest'
+export const PROXY_IMAGE_NAME =
+  'docker.pkg.github.com/github/dependabot-update-job-proxy:latest'
 
 async function run(): Promise<void> {
   try {
@@ -24,8 +26,9 @@ async function run(): Promise<void> {
 
     const client = axios.create({baseURL: params.dependabotAPIURL})
     const apiClient = new APIClient(client, params)
-    const updater = new Updater(UPDATER_IMAGE_NAME, apiClient)
+    const updater = new Updater(UPDATER_IMAGE_NAME, PROXY_IMAGE_NAME, apiClient)
     await ImageService.pull(UPDATER_IMAGE_NAME)
+    await ImageService.pull(PROXY_IMAGE_NAME)
 
     await updater.runUpdater()
   } catch (error) {